(57) Abstract

Protocols and architecture for secure virtual private networks. Intraenterprise data communications are supported in a secure manner over the Internet or other public network space with the implementation of secure virtual private networks. Members of a virtual private network group exchange data that may be compressed, encrypted and authenticated, if the exchange is between members of the group.
ARCHITECTURE FOR VIRTUAL PRIVATE NETWORKS

BACKGROUND OF THE INVENTION

1. Related Information 

The present invention is related to the one described in copending U.S. Patent Application entitled "An Apparatus for Implementing Virtual Private Networks," Serial No. 08/874,091 [Attorney Docket No. 20155-702], assigned to the assignee of the present application and filed concurrently herewith.

2. Field of the Invention 

The present invention relates to the field of data communications. More particularly, the present invention relates to techniques for implementing secure virtual private networks over public or otherwise insecure data communications infrastructures.

3. Background 

In recent years organizations have come to rely heavily on the ability to transmit electronic data between members of the organization. Such data typically includes electronic mail and file sharing or file transfer. In a centralized, single site organization, these transfers of electronic data are most commonly facilitated by a local area network (LAN) installed and operated by the particular enterprise.

Preventing unauthorized access to data traversing an enterprise's LAN is relatively straightforward. This applies both to unauthorized accesses by members of the enterprise and, more [...]. As long as intelligent network management is maintained, unauthorized accesses to data traversing an enterprise's internal LAN are relatively easily avoided. It is when the enterprise spans multiple sites that security threats from the outside become a major concern.

For distributed enterprises that desire the conveniences of the above-described electronic data transfers, there are several options that exist today, but each with associated disadvantages. The first option is to interconnect the offices or various sites with dedicated, or private, communications connections often referred to as leased lines. This is the traditional method organizations use to implement a wide area network (WAN). The disadvantages of implementing an enterprise owned and



WO 98/57465    2    PCT/US98/12229
controlled WAN are obvious: they are expensive, cumbersome and frequently underutilized if they are established to handle the capacity requirements of the enterprise. The obvious advantage to this approach is that the lines are dedicated for use by the enterprise and are therefore secure, or reasonably secure, from eavesdropping or tampering by [...].

An alternative to the use of dedicated communications lines for a wide area network is for an enterprise to handle intersite data distributions over the public network space. Over recent years the Internet has transitioned from being primarily a tool for scientists and academics to a medium for communications with broad-ranging business implications. It provides electronic communications paths between millions of computers by interconnecting the various networks upon which those computers reside. It has become commonplace, even routine, for enterprises, even those in nontechnical fields, to provide Internet access to at least some portion of the computers within the enterprise. For many businesses this facilitates communications with customers, potential business partners as well as the distribution [...].

Distributed enterprises have found that the Internet is a convenient tool to provide electronic communications between members of the enterprise. For example, two remote sites within the enterprise may each connect to the Internet through a local Internet Service Provider (ISP). This enables the various members of the enterprise to communicate with other sites on the Internet including those within their own organization. The limiting disadvantage of using the Internet for intra-enterprise communications is that the Internet is a public network space. The route by which data communications travel from point to point can vary on a per packet basis, and is essentially indeterminate. Further, the data protocols for transmitting information over the various networks of the Internet are widely known and leave electronic communications susceptible to interception and eavesdropping, with packets being replicated at most intermediate hops. An even greater concern arises when it is realized that communications can be modified in transit or even initiated by impostors. With these disconcerting risks, most enterprises are unwilling to subject their proprietary and confidential internal communications to the exposure of the public network space. For many organizations it is common today to not only have Internet access provided at each site, but also to maintain the existing dedicated communications paths for internal enterprise communications, with all of the attendant disadvantages described above.

While various encryption and other protection mechanisms have been developed for data communications, none completely and adequately addresses the concerns raised for allowing an enterprise to truly rely on the public network for secure intra-enterprise data communications. It would be desirable, and is therefore an object of the present invention, to provide such mechanisms that allow the distributed enterprise to rely solely on the public network space for intra-enterprise communications without such concerns.

SUMMARY OF THE INVENTION

From the foregoing it can be seen that it would be desirable and advantageous to develop protocols and architecture to allow an organization or enterprise to rely on the public network space for secure communications. The present invention is thus directed toward the protocols and architecture for implementing secure virtual private networks over the Internet or other public network systems. The architecture of the present invention introduces a site protector or virtual private network unit which secures communications between members of a defined VPN group. In accordance with one embodiment of the present invention, the site protector resides on the WAN side of the site's router or routing apparatus which is used to connect the enterprise site to the Internet. In alternative embodiments, the site protector resides on the LAN side of the router. The essential point for all embodiments is that the site protector be in the path of all relevant data traffic.

To ensure secure data communications between members of the same VPN group, the site protector or VPN unit implements a combination of techniques for data packet handling when packets are to be sent between members of the group. The packet handling processes include various combinations of compression, encryption and authentication, the rules for each of which may vary for members of different groups. For each group defined as a virtual private network, the various parameters
defining the compression, encryption and authentication rules are maintained in lookup tables in the associated VPN Units. The lookup tables maintain information not only for fixed address members of the group, but support is also provided for remote clients. This ability allows remote users to dial into a local Internet Service Provider and still maintain membership in a virtual private network group for secure communications over the Internet with other members of the group. In the case of a remote client, the site protector may be implemented by software running on the remote client.

In other aspects of the present invention, the VPN units or site protectors may be dynamically configured to add or subtract members from the virtual private network group, recognize their movement, or change other parameters affecting the group. Various other packet handling aspects of the invention include addressing the problem of some data packets growing too large by the inclusion of encryption and authentication information. Another packet handling aspect provides for Internet communications which hide information identifying the source and destination of the data packets. In this aspect of the present invention, the VPN units are treated as the source and destination for the Internet communications, with the VPN units encapsulating the source and destination addresses of the endstations.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects, features and advantages of the present invention will be apparent from the following detailed description, in which:

Figure 1 illustrates a prior art intraenterprise communication architecture.

Figure 2 illustrates an enterprise communication architecture according to the present invention utilizing the Internet or other public network space as the vehicle for conveying messages between members of a virtual private network.

Figure 3 illustrates a flow diagram for the handling of a packet being transmitted from one member of a virtual private network group to another member over the Internet.

Figure 4 illustrates the handling of a data packet received over the Internet by one member of a virtual private network group from another member.

Figure 5 illustrates graphically the life cycle of a data packet being sent from one member of a virtual private network group to another over the Internet.

Figure 6 illustrates an alternative life cycle of a data packet being sent from one member of a virtual private network group to another over the Internet where the source and destination addresses are hidden.
DETAILED DESCRIPTION OF THE INVENTION
Protocols and an architecture for implementing secure virtual private networks for enterprise communications over the Internet or other public network space. Although the present invention is described predominantly in terms of utilizing the Internet as a communications medium, the described methods are broad enough to accomplish the implementation of secure virtual private networks over other public networks. Throughout this detailed description, numerous specific details are set forth, such as particular encryption or key management protocols, in order to provide a thorough understanding of the present invention. To one skilled in the art, however, it will be apparent that the present invention may be practiced without such specific details. In other instances, well-known control structures and system components have not been shown in detail in order not to obscure the present invention.

In many instances, components implemented by the present invention are described at an architectural, functional level, as they may be configured using well-known structures, particularly those designated as relating to various compression or encryption techniques. Additionally, the procedures to be included within the system of the present invention, the functions and flow diagrams, are described in such a manner that those of ordinary skill in the art will be able to implement the particular methods without undue experimentation. It should also be understood that the techniques of the present invention may be implemented using a variety of technologies. For example, the virtual private network unit or site protector to be described further herein may be implemented in software running on a computer system, or implemented in hardware utilizing either a combination of microprocessors or other specially designed application specific integrated circuits, programmable logic devices, or various combinations thereof. It will be understood by those skilled in the art that the present invention is not limited to any one particular implementation technique and those of ordinary skill in the art, once the functionality to be carried out by such components is described, will be able to implement the invention with various technologies without undue experimentation.

Referring now to Figure 1, there is shown a traditional scenario for intra-enterprise data communications for a distributed organization. In this illustration of an exemplary organization configuration, the enterprise consists of a headquarters location 105, with additional sites or branches 110 and 112, respectively. In modern organizations such as the exemplary one of Figure 1, the headquarters site 105 as well as the branch sites 110 and 112 may each comprise numerous personnel, many of whom are provided with computers or work stations with network access. The internal network configurations at the headquarters or branches may take many forms including one or several local area networks (LANs). For inter-site communications between headquarters and the branches, dedicated or leased communications lines 115 and 120 may be provided. In addition, an optional dedicated communications path 125 may be provided between the branches. As an alternative to the optional dedicated communications line 125 between the branches, data packets between branch 110 and branch 112 may be routed through the headquarters' network equipment.

In addition to the dedicated communications lines between headquarters and the various branches, it is common today to provide computer users within an organization access to the Internet for electronic mail to external parties as well as for doing various types of research over the Internet using such tools as the World Wide Web, etc. As shown in Figure 1, the usual scenario is where the headquarters site 105 and the branches 110 and 112 are each separately provided with direct access to Internet Service Providers 130, 133 and 136, respectively. This provides the users at the various sites with their access to the Internet for the above purposes. In an alternate configuration, it may be that only the headquarters site 105 is provided with access to an Internet service provider 130, and that users of the computers of the branch sites 110 and 112 will connect to the Internet through headquarters via their dedicated communications paths 115 and 120. The downside to this alternate configuration is that it greatly increases the bandwidth utilization on the dedicated lines, perhaps to the point of saturation. An advantage is that only one gateway to the Internet need be provided for the organization, which simplifies enforcing security constraints on connections to the outside world.

In the exemplary organization 100, it is also shown that in some circumstances it may be desirable to allow customers or other business partners to dial in directly to the computer network of the organization. In Figure 1, it is illustrated that the customer 140 may in fact carry out such communications over a communications path 145 which may be a dedicated line provided between the customer and the organization for the customer's convenience. The path 145 may also be a dial-up line which the customer might use only sporadically. Consistent with the emerging use of the Internet and its popularity, the customer 140 is shown having its own Internet connection through ISP 148.

Finally, there is shown in Figure 1 that it is frequently desirable for other members of the enterprise, who may be on the road or working from home or other remote locations, to exchange data with other members of the enterprise. There are thus shown remote clients 150 and 155 communicating with the headquarters over long distance telephone lines 157 and 158. This example assumes that they are in a truly remote location from the headquarters. The remote clients 150 and 155 are also respectively shown having local access to the Internet through local ISPs 160 and 165.

The above description of an enterprise's data communication configuration according to Figure 1 illustrates the disadvantages discussed above. These disadvantages are eliminated by implementation of the present invention as illustrated generally with reference to Figure 2. In the communication configuration 200 illustrated in Figure 2, the headquarters 105, first branch 110 and second branch 112 of the organization are illustrated in a more detailed logical way than presented in Figure 1. Thus, the headquarters 105 is illustrated with three endstations 201, 202 and 203, respectively coupled to communicate data packets over local area network (LAN) 205. Likewise, the branch site 110 is shown having a plurality of endstations 211, 212 and 213 respectively coupled to communicate data locally over LAN 215. Finally, the second branch site 112 is shown with an illustrative set of computer stations 221, 222 and 223 connected to communicate over LAN 225. The customer site 140 is also illustrated in Figure 2 as comprising a plurality of computers illustrated by 331 and 332 coupled to communicate over the customer's LAN 235. The local area networks utilized for data communications within the headquarters, customer and branch sites may adhere to a wide variety of network protocols, the most common of which are Ethernet and Token Ring.

As can be seen in Figure 2, the dedicated communications links between the headquarters site 105 and the branch sites 110 and 112, as well as between the headquarters site 105 and the customer's site 140, have been eliminated. Instead, in accordance with the present invention, data communications between members of the organization are intended to be carried out over the Internet or other public network space. For purposes of the present invention, it will be assumed that it is the widely emerging Internet that will be the medium for data packet transfers between members of the organization.

Each of the LANs for the respective sites interconnects to the Internet 250 through an associated routing or gateway device, which are identified as routers 240, 242, 244 and 246, respectively. It is to be understood that data packets conveyed between the various sites illustrated in 200 would traverse, in many cases, a plurality of additional routing devices on their way between the source and destination sites for the packets. The mechanisms for data packet transfers over the Internet are well known and are not described in great detail herein. It is understood that data packets are assembled in accordance with the Internet Protocol (IP) and are referred to herein as IP packets regardless of the version of the Internet protocol presently in effect. In the case of the remote clients 150 and 155 illustrated in Figure 2, it is understood that they utilize communication software to dial up a local Internet service provider which itself provides the gateways necessary for communications over the Internet 250.
As has been described above, prior efforts to utilize the Internet for secure data communications have required an awareness or implementation of security considerations at the endstations. This is disadvantageous when transparency to an end user is desirable. The present invention, on the other hand, is transparent to end users, with data communications over the Internet occurring exactly as they appear to have before. However, for users identified as members of the same virtual private network, data communications are handled in a manner that ensures the security and integrity of the data packets. Illustrated in Figure 2, between the Internet 250 and each of the respective routers 240, 242, 244 and 246, are Virtual Private Network Units (VPNUs) 250, 252, 254 and 256. In accordance with the particular illustrated embodiment of the present invention, the VPNUs reside between a site's router and the path to the Internet. It should be understood that this placement of VPN units in the overall system architecture represents only one placement choice. It will be clear from the materials that follow that the essential point with respect to VPNU placement is that they reside in the path of data traffic. In many embodiments, it may in fact prove desirable to situate the VPNU on the LAN side of a site's router. As will be described in more detail below, the VPN units maintain lookup tables for identifying members of specific virtual private network groups.

When a data packet is sent between source and destination addresses that are both members of the same VPN group, the VPNU will process the data packet from the sending side in such a way as to ensure that it is encrypted, authenticated and optionally compressed. Likewise, the VPNU servicing the site where the destination address is located will detect that a packet is being propagated between members of the same VPN group. The receiving VPNU will handle the process of decrypting and authenticating the packet before forwarding it toward the destination endstation. In this way, secure data communication between end users is effected in a manner that is transparent to the end users. In the case of remote clients 150 and 155, the VPNU may be simulated in software which operates in conjunction with the communication software for connecting the remote client to the associated local Internet service provider.
The functionality of the VPN units will be described with reference to the following figures, beginning with the flowchart of Figure 3. When a data packet originates from an endstation, such as endstation 202 of LAN 205 at site 105, and its destination is a remote site other than the headquarters site 105, it will initially be treated as an ordinary Internet data packet transfer. The packet will proceed from the endstation 202 over the LAN 205 to the routing device 240, which will encapsulate the data packet in accordance with the Internet Protocol, forming an outbound IP packet. On its way out of the site, the IP packet will pass through the associated VPN Unit for the site. The flowchart illustrated at Figure 3 shows the functional operation of a VPN unit for an outbound packet that is received thereby. The Transmit-Packet procedure 300 begins when the outbound data packet is received at step 310. At decision box 320, it is determined whether or not the source and destination addresses for the data packet are both members of the same VPN group. This determination may be made with reference to lookup tables that are maintained by the VPN units or by reference to other memory mechanisms. This step may be thought of as member filtering for data packets being transmitted between the particular site and the VPN unit which services it. If the source and destination addresses for the data packet are not both members of the same VPN group, then at step 330 the packet is forwarded to the Internet as ordinary Internet traffic from the site, as though the VPNU were not involved. In which case, the procedure ends at step 335. In one alternative embodiment, it may be desirable to discard data traffic that is not between members of a VPN group rather than forwarding it as unsecure traffic. In another alternative embodiment, it may be desirable to provide the option to either pass or discard non-VPN-group data traffic.
If, at decision box 320, the member filter, it is determined that the source and destination addresses for the data packet are members of the same VPN group, then the data packet is processed at step 340, undergoing various combinations of compression, encryption and authentication. The lookup tables maintained by the VPN Unit 350 and all of the VPN Units, in addition to identifying members of particular VPN groups, also identify whether or not data packets transferred between members of the particular VPN group are to be compressed and, if so, what algorithm is to be used for compression. Many possible compression algorithms are well known, but in one embodiment of the invention, LZW compression is implemented. The lookup table for the VPN group of which the source and destination addresses are members also identifies the particular encryption algorithm to be used for data packets traversing the Internet for that VPN group, as well as the authentication and key management protocol information required thereby. As an alternative to lookup tables, the VPNU may be programmed to always use the same algorithms for all VPN groups.

The particular packet processing algorithms may vary, so long as the lookup tables in both the sending and receiving VPN units identify the same compression, encryption and authentication rules and are capable of implementing and de-implementing them for members of the same group. It is to be understood that a single VPNU may serve multiple VPN groups and that particular addresses may be members of multiple groups. Thus, at step 340, when a packet is destined from one member of the VPN group to another, the packet is processed according to the compression, encryption and authentication rules identified in the VPNU tables for that particular VPN group. Then, at step 350, the processed packet is forwarded toward the destination address over the Internet. The procedure of the sending VPN unit then ends at step 355.

The receiving VPNU reverses the above processes for VPN traffic as illustrated by the flowchart of Figure 4. The Receive-Packet procedure 400 begins at step 410 when an inbound data packet is received from the Internet at the receiving VPN unit. At decision box 420, the inbound data packet is examined to determine if the source and destination addresses of the data packet are both members of the same VPN group. It is assumed that the lookup tables maintained by all of the VPN units are both consistent and coherent. If the inbound data packet is determined not to be VPN traffic, then the packet is passed through and forwarded to the receiving site as though it were normal Internet data traffic at step 430. In which case the process ends at step 435. In one alternative embodiment, it may be desirable to discard incoming data traffic that is not from an identified member of a VPN group supported by the VPNU.
For data packets that are determined to be VPN traffic at decision box 420, the VPN unit will process the inbound packet to recover the original packet as it was provided from the source endstation. The lookup table maintained by the receiving VPN unit will identify the compression, encryption and authentication rules used for the VPN group and reconstruct the original IP packet in accordance with those rules at step 440. Then the reconstructed packet will be delivered to the site of the destination address at 450, with the procedure ending at step 455.

Figure 5 illustrates graphically the life cycle of the data packet sent between two members of the same VPN group. The data packet originates from a source 500 and propagates from the source's site through its associated router to generate IP data packet 510. The data packet 510 is not intended to illustrate all the fields associated with a complete IP data packet, but shows the relevant portions for this discussion, which include the destination address, source address and the payload information of the packet. The data packet 510 is then examined by the VPN unit, which determines whether the data packet is traffic between members of an identified VPN group. The VPN unit 520 processes the packet in accordance with the packet processing procedures described above with respect to Figure 3, with the resulting packet being illustrated as packet 530. Packet 530 still identifies the destination and source addresses of the data packet, but the remainder of the packet is encrypted, and optionally compressed.

Following processing by the outbound VPNU, the data packet is propagated through the Internet to 550, with the destination and source information identifying to the associated routers of the Internet the path which the packet should ultimately take to reach its destination. The packet emerges from the Internet at the edge of the destination site as data packet 540, which is essentially identical to the data packet 530. The packet is "deprocessed" by the receiving VPN unit 550, which restores the original packet into its form 560 for delivery to the ultimate destination through the receiving site's associated router at destination 570.

As was described above, the present invention's approach to virtual private networks supports not only optional compression of data packets, but encryption and authentication techniques as well. One emerging standard for key management in connection with Internet Protocol data transfers with authentication is referred to as Simple Key Management for Internet Protocol (SKIP), which is described by US Patent 5,588,060 assigned to Sun Microsystems, Inc. of Mountain View, CA. Authenticated data transfers using SKIP support a mode of data transfer referred to as tunnel mode. The above described data transfer with respect to Figure 5 illustrates a transport mode of operation, in which the destination and source addresses are exposed as the data packet traverses the Internet. In tunnel mode, an added measure of security may be provided by encapsulating the entire data packet within a packet which identifies the source and destination addresses as those of the VPN units. This conceals the ultimate source and destination addresses in transit.

Figure 6 illustrates the life cycle of a data packet being propagated from a source 600 to a destination 670 utilizing tunnel mode. In this mode of operation, the data packet 610 is processed by outbound VPNU 620, which generates a resulting packet 630. The resulting packet 630 encrypts and (optionally) compresses not only the data payload of the packet, but the destination and source addresses of the endstations as well. The encapsulated packet is then provided with an additional header that identifies that the source of the packet is the outbound VPNU 620 and that the destination is the inbound VPNU 650. Thus, the packet 640 which emerges from the Internet is identical to the packet 630 with respect to address information and encapsulated payload. The packet is decomposed by the inbound VPNU 650 to reconstruct the original data packet at 660 for delivery to the destination 670.

The overall architecture of the present invention is robust, allowing the convenience of proprietary data communications to take place over a public network space such as the Internet. The architecture of the present invention also allows a wide variety of compression, encryption and authentication technologies to be implemented, so long as the VPN units at each end of the transaction support the associated protocols. The present invention is also capable of working in concert with traditional Internet security mechanisms such as corporate firewalls. A firewall might operate in series with the VPN unit at a given site or, intelligently, be configured in a



WO 98/57465 PCT/US98/12229 14

single box with the VPN unit to provide parallel firewall and VPN unit security functions.

There has thus been described a protocol and architecture for virtual private networks for using a public network space for secure private network data communications. Although the present invention has been described with respect to certain exemplary and implemented embodiments, it should be understood that those of ordinary skill in the art will readily appreciate that modifications may be made to the present invention. Accordingly, the spirit and scope of the present invention should be measured by the terms of the claims which follow.
What is claimed is:

1. A method for sending a data packet from a first member of a virtual private network to a second member of said virtual private network comprising the steps of:
receiving said data packet en route to said second member;
determining that said data packet is being sent between members of said virtual private network;
determining the packet manipulation rules for packets sent between members of said virtual private network;
forming a secure data packet by executing said packet manipulation rules on said data packet; and
forwarding said secure data packet to said second member of said virtual private network.

2. The method according to claim 1 wherein said step of determining that said data packet is being sent between members of said virtual private network comprises the step of comparing the source and destination addresses of the data packet to addresses stored in a virtual private network address table.

3. The method according to claim 1 wherein said step of determining the packet manipulation rules comprises the step of accessing a lookup table that maintains information identifying compression, encryption and authentication algorithms to be utilized for data packets sent between members of the virtual private network.

4. The method according to claim 3 wherein said step of forming a secure data packet comprises the steps of:
encrypting at least a payload portion of the data packet according to the identified encryption algorithm; and
providing authentication information for the data packet according to the identified authentication algorithm.
5. The method according to claim 4 wherein said step of forming a secure data packet comprises the step of compressing the data packet according to the compression algorithm identified.

6. The method according to claim 5 wherein said compressing step occurs prior to said encrypting step.

7. The method according to claim … wherein said step of forming a secure data packet includes the step of concealing the source and destination addresses according to the identified algorithm.

8. A method for receiving a secure data packet sent between members of a virtual private network comprising the steps of:
receiving said secure data packet;
determining the packet manipulation rules for packets sent between members of said virtual private network;
recovering the original data packet by reversing the identified packet manipulation rules; and
…

9. The method according to claim 8 wherein said step of determining the packet manipulation rules comprises the step of accessing a lookup table that maintains information identifying compression, encryption and authentication algorithms to be utilized for data packets sent between members of the virtual private network.

10. The method according to claim 8 wherein said recovering step comprises the step of recovering the source and destination addresses of the original data packet when they have been concealed.

11. A method for securely exchanging data between members of a virtual private network comprising the steps of:
generating a first data packet which includes a source address, a destination address and a data payload portion;
transmitting said first data packet toward said destination address;
intercepting said first data packet en route to said destination address;

verifying that said first data packet is being sent between members of a virtual private network group;
determining the packet manipulation rules for packets sent between members of said virtual private network group;
generating a second data packet by performing said packet manipulation rules on said first data packet;
forwarding said second data packet toward said destination address;
receiving said second data packet;
verifying that said second data packet is being sent between members of said virtual private network group;
determining the packet manipulation rules for packets sent between members of said virtual private network group;
generating a third packet by reversing the packet manipulation rules, said third packet including said data payload portion; and
delivering said third data packet.
12. The method according to claim 11 wherein said second packet conceals said source and destination addresses.

13. The method according to claim 11 wherein said step of generating a third packet includes the step of recovering said source and destination addresses for inclusion in said third packet.

14. A system for securely exchanging data packets between members of a virtual private network group comprising:
a first computer at a first site, said first computer having a first network address;
a first router associated with said first site for routing data packets originating from said first computer over a public network;
a first virtual private network unit disposed between said router and said public network, said first virtual private network unit for identifying virtual private network group data traffic and for securing said data traffic by manipulating said data traffic according to packet manipulation rules maintained by said virtual private network unit;
a second router associated with a second site for coupling said second site to the public network;
a second virtual private network unit disposed between said second router and the public network for intercepting network traffic destined for said second site, said second virtual private network unit for detecting virtual private network group traffic and for recovering original packet data; and
a second computer at said second site, said second computer having a second network address for receiving said packet data.

15. The system of claim 14 wherein said first and second virtual private network units include means for verifying that said first and second network addresses are both members of said virtual private network group.

16. The system of claim 15 wherein said first and second virtual private network units each have an associated network address, said network traffic utilizing the virtual private network addresses to conceal the identity of the first and second network addresses.